MEF speaks to Director of Product Management at FICO Adam Barrett about why the company has joined MEF’s Trust in Enterprise Messaging programme and what they are doing to combat fraud in messaging.
Until about 60 years ago, if you wanted to borrow some money, the decision came down to one man (almost always a man).
Your bank manager.
And he might well decline you. Why? Well, maybe he had taken a good look at your records and made a considered decision. Or maybe he was having a bad day. Or maybe he just didn’t like your face.
Clearly, the whole system was imperfect. And time consuming.
So when FICO came along in 1956 with a system that could crunch account data to make an automated decision for every borrower, it had a clear run.
Here was a process that was quick, inexpensive and absent of quirky human bias. Lenders quickly adopted it.
In 1989 FICO went further. It launched a process for scoring its decisions. FICO scores have since become an industry standard. Today, they are used in nine out of even ten US lending decisions.
However, FICO now does much more than credit ratings. It describes itself as a ‘decision making analytics’ specialist. In other words, it can crunch data to power decisions not just relating to credit but to debt management, insurance, healthcare, retail and more. It can make these judgements in seconds. And enterprises can then use the results as the start point for conversations with customers. Obviously, to do that they need a communications channel.
This is how FICO came to be in the SMS business.
Here’s an example. FICO offers financial clients a software package called Falcon Fraud Manager software. It uses artificial intelligence to detect fraud. When Falcon identifies an irregular transaction it will flag it, and then send a text alert to the customer at the point of sale asking if the purchase is legitimate. The SMS will ask the recipient to reply yes or no.
For a while, FICO used a company called Adeptra to manage these mobile comms. But in 2012, FICO realised how critical this process was becoming. As a result, it bought Adeptra and formed FICO Customer Communication Services to engage customers through phone calls, text messages, email and mobile app alerts.
Today, FICO contacts customers between two and four million times a day all over world. It’s proved a highly effective anti-fraud strategy.
But it’s not all good news. As MEF members know, fraudsters are now devising schemes to turn SMS itself into a tool for fraud. FICO recognises this. That’s why the company recently joined MEF in order to take part in MEF’s Trust in Enterprise Messaging Programme. We spoke to Adam Barrett, director of product management at FICO, to find out more.
Tell us a little about how important messaging is to FICO’s business.
We may be known for credit scoring, but what we really do is decision making analytics. Obviously, a crucial part of this process is telling end users about those decisions. And this can be very effective.
So, to give an example, we can help companies and customers with debt management. It’s important to stress that this is debt management not just debt collection. We can look at a set of metrics and see when a person is at risk of going into debt. Then we can work with the client to communicate with a customer before he or she goes delinquent.
We send the messages, but as far as the end user is concerned they come from their lender. We can do this with voice and email and app notifications as well as SMS. But we find SMS is especially efficient because people don’t always take calls and they don’t see emails immediately.
How much more effective is text than voice calling for example?
Well, look at Falcon, our anti-fraud software. It will monitor and score transactions based on the thresholds a client sets. When a transaction hits a set score, it will trigger an action to contact the customer.
Now, traditionally clients would have used live agents to make these calls. They would have worked on the basis of a 10 to 1 false positive ratio. That means for every 10 phone calls, an agent would find just 1 instance of fraud where the rest are genuine transactions.
FICO provides an automated self-service option through calls, texts, email and mobile app alerts, which we call a virtual agent. Our virtual agent can work faster and penetrate into lower risk bands, working a 30 to 1 false positive ratio using SMS. In other words, it can verify three times more suspicious transactions and every call connected to a live agent is a true fraud case.
When did you first become aware of fraudsters trying to manipulate your texts?
Initially it was with SIM swaps. We started to notice irregular SIM replacements, so we created a solution that takes a baseline of a customer’s SIM, then re-checks it prior to sending an SMS. If we detect a change, we will use an alternate method of contact to verify suspicious activity or deliver a one-time passcode.
Later we started to notice spoofing. This is where fraudsters make a purchase with a stolen card then use a different phone to reply that a transaction was OK. They might not know that an SMS alert was sent – but they might know the number to reply to. So they spoof a ‘yes’ response, before the genuine customer can reply.
One way we addressed this was to set up a carousel of hundreds of rotating reply numbers. This stops the fraudster from spoofing one known number.
It’s very hard to defend against this type of fraud. Education is important, of course. But we want to work with the industry to see what stakeholders can do collectively. That’s why we joined the MEF.”
Is SMisHing now a threat?
Very much so. This is where criminals send a text that looks like it’s from the bank. They are devising particularly insidious ways to do this. For example, some scammers now call a person and pretend to the person’s bank.
It starts by offering a credit or refund for some appealing amount, but to get it, the customer must reply ‘Yes’ to a text message. They then make a fraudulent purchase with that person’s card, but the cardholder okays it because they were primed to expect an SMS to which they reply immediately without realizing the message was for a different purpose.
How can you combat this?
It’s very hard to defended against this type of fraud. Education is important, of course. But we want to work with the industry to see what stakeholders can do collectively.
That’s why we joined the MEF. Whatever affects our clients affects us, and most of our clients – and messaging partners – are members. We like the MEF’s work here because it spans the entire ecosystem. It’s good for us to have a seat at the table, and I hope we can help find a solution that works and is genuinely enforcible.